EUROPEAN COMMISSION
Brussels, 19.1.2017
COM(2017) 29 final
REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL
on the joint review of the implementation of the Agreement between the European Union and the United States of America on the processing and transfer of passenger name records to the United States Department of Homeland Security
{SWD(2017) 14 final}
{SWD(2017) 20 final}
REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL
on the joint review of the implementation of the Agreement between the European Union and the United States of America on the processing and transfer of passenger name records to the United States Department of Homeland Security
Introduction
The current Agreement between the United States (US) and the European Union (EU) on the use and transfer of passenger name records (PNR) to the United States Department of Homeland Security (DHS) entered into force on 1 July 2012.
The Agreement provides for a first joint review one year after its entry into force and regularly thereafter as jointly agreed. This joint review was carried out on 1 and 2 July 2015 in Washington and the preparation process for the joint review and subsequent Report are outlined at the end of this Report. Its main focus was to follow up progress on the previous review recommendations from 2013 1 ; the implementation of the Agreement, with particular attention to the method of transmission of PNR as well as the onward transfer of PNR as set out in the relevant articles of the Agreement.
The joint review is based on the methodology developed between the EU and the US teams for the first joint review of the 2004 PNR Agreement, which took place in September 2005, and for the joint review in 2013. The first part of this methodology consisted of a questionnaire sent by the European Commission to the DHS prior to the joint review.
The Commission Staff Working Document (SWD) accompanying this Report consists of five Chapters. Chapter 1 provides an overview of the background to the review and the purpose and procedural aspects of the exercise. Chapter 2 presents an update on the implementation of the recommendations from the review in 2013. Chapter 3 presents the main findings of the joint review of 2015 and the issues to be further addressed by DHS. Chapter 4 presents a summary of the recommendations from the 2015 review. Chapter 5 presents the overall conclusions of the exercise. Finally, the SWD is supplemented by an Annex which contains the questionnaire and DHS replies thereto.
Implementation of the 2013 recommendations
All the recommendations from the 2013 review have either been completed or improvements have been made and the work is ongoing.
As a follow up to a general recommendation of the review of 2013, the DHS Privacy Office proceeded with an internal 'Privacy Compliance Review' 2 (PCR) of the implementation by DHS of the Agreement prior to the joint review of 2015. This PCR was conducted to determine whether DHS is operating in compliance with the standards and representations in the Agreement with the EU and the report was published on 26 June 2015.
The commencement of the six months period triggering the depersonalisation of PNR under Article 8 (1) of the Agreement now starts as from the day the PNR is loaded in US Automated Targeting System (ATS) (the so-called ATS Load Date) which is the first day the data are stored in ATS, instead of the previous practice, which delays applying the six months period (until the last ATS Update of the PNR).
The 2013 review also recommended ensuring as quickly as possible a full move to the “push” method by 1 July 2014, as required under Article 15(4) of the Agreement. At the time of the 2015 review four carriers were still not providing PNR via the "push" method; DHS were providing support to those carriers to develop the capability to "push" PNR data.
The 2013 review recommended that under Article 18 DHS should improve the procedure aimed at notifying EU Member States in case of sharing of EU PNRs between DHS and third countries occurs. In response a CBP officer has been posted to Europol as a liaison officer since July 2014. When the liaison officer identifies a targeted passenger with a nexus to a Member State, he shares this information in a report with the Member State's representatives.
Improvements have also been made to the implementation of Article 13, which relates to redress mechanisms available to individuals. The 2013 review recommended that greater transparency on the redress mechanisms available to passengers under US law should be provided. It is positive that DHS Traveller Redress Inquiry Program (TRIP) is the single point of contact for the public; however the US should continue to review all necessary means to ensure that all passengers are made aware of the redress mechanisms.
Recommendations from the 2015 review
The EU team has continued to find that the US has implemented the Agreement in line with the conditions set out therein. DHS respects its obligations as regards the access rights of passengers and has an oversight mechanism in place to guard against unlawful discrimination. The Commission also welcomes the continued effort to ensure reciprocity and pro-active sharing of analytical information obtained from PNR data with Member States and, where appropriate, with Europol and Eurojust. The masking and deletion of sensitive data are respected and DHS has stated that it has never accessed sensitive data for operational purposes.
DHS continues to implement its commitments in relation to passenger rights, in particular as regards providing appropriate information to passengers and implementing the right to access without any exemptions as provided for under Articles 11, 12 and 13. The enactment of the Judicial Redress Act of 2015 since the joint review took place is a welcome development.
Sharing of data with other domestic agencies is handled by DHS in line with the Agreement. Sharing is carried out on a case-by-case basis, logged and takes place on the basis of written understandings. Sharing of data with third countries is also interpreted strictly, and is also in line with the Agreement. The US applies the same data protection requirements to all PNR it acquires and processes regardless of whether sourced from inside or outside the EU.
However, despite the positive implementation of the Agreement, some improvements remain necessary. Article 2 provides that the scope of the Agreement covers flights with a US nexus. The use of an override mechanism to access non US nexus PNR data is subject to a number of conditions and subject to oversight. The number of overrides has increased since the 2013 review and DHS need to record detailed reasons of why overrides have been used to better understand why they occur.
In relation to Article 5, the number of personnel with access rights to PNR data has increased since the previous review in 2013. Whilst the EU team is satisfied with the oversight mechanisms in place, DHS is invited to continue to monitor the number of staff with access rights to PNR data to ensure that only those with an operational need to use and view the data can do so.
In relation to Article 6, no sensitive data has been accessed during the period of this review. Under DHS rules, DHS provide notice of any such access to the Commission within 48 hours should sensitive data be accessed by DHS staff. It is recommended that DHS should regularly review the list of sensitive data codes to ensure any sensitive data is automatically blocked by the system. Any changes should be shared with the Commission.
DHS uses automated processes to mask out all data elements which could serve to identify the passenger to whom the PNR data relates after the initial six months. This is compliant with Article 8 of the Agreement. However the review found that the number of PNR linked to law enforcement events, and therefore not subject to masking out, is high. DHS is advised to explore this further to understand why the figure is high and to also ensure that PNR data no longer required is masked out, anonymised or deleted as soon as possible. It is positive that DHS has followed the recommendation from the 2013 review and ensures that a DHS user must now justify why PNR is unmasked.
DHS complies with Article 11 of the Agreement by not refusing any passenger access to their data. Response times have increased since the last review in 2013 and DHS should establish whether these response times could be reduced.
Under Article 15, DHS continues to support and encourage all outstanding carriers to develop the capability to "push" PNR. Although outside the timing of the review, it is welcomed that DHS has since extended the application of the "push" method to all airlines which were within the scope of the Agreement at the time of the joint review.
In relation to Articles 16 and 18, DHS should provide further information on exactly what data is being collected under these provisions and be in a position to provide further information on data that has been shared with other US authorities, and police, law enforcement and judicial bodies within the EU.
Finally, for future reviews and the evaluation DHS should ensure that all fact and figures are collected in a consistent way to enable direct comparisons to be made.
For the preparation of this report, the EU team used information contained in the written replies that DHS provided to the EU questionnaire, information obtained from its discussions with DHS personnel, information contained in the aforementioned DHS Privacy Office report, as well as information contained in other publicly available DHS documents.
Preparation process for the joint review and subsequent Report
The Commission sent a questionnaire to DHS on 8 May 2015 in advance of the joint review. The questionnaire contained specific questions in relation to the implementation of the Agreement by DHS. DHS provided written replies to the questionnaire on 12 June 2015.
The Commission also contacted all Member States to determine whether they had any contact with the US regarding PNR.
The EU team conducted the joint review visit on 1 and 2 July 2015 and was granted access to DHS premises, visited the DHS National Targeting Center (NTC) and was given the opportunity to watch the targeting centre in operation.
The DHS Privacy Office published its report on the use and transfer of PNR between the EU and the US on 26 June 2015. Unfortunately this did not provide the EU team with enough time to analyse the report in full before the review visit. The EU team subsequently analysed the Privacy Office report and asked follow-up questions to assist with the completion of the Report on the joint review.
Following the joint review visit, DHS provided in writing additional information that was requested by the EU team during the visit. This information was used to supplement the preparation of this Report.
DHS confirmed on 25 September 2015 that all carriers providing PNR data under the Agreement had developed the ability to use the "push" method to transfer PNR data to the US.
The Commission presented the other Members of the EU team with a draft of the Report on 21 January 2016.
Following incorporation of the comments from the other EU team members into the draft Report, the Commission presented a copy of the draft Report to the US during a meeting of senior officials in Washington D.C. on 17 March 2016. This provided DHS with the opportunity to identify and comment on any inaccuracies or any information that could not be disclosed to public audiences.
DHS subsequently provided an updated version of the questionnaire and informal comments on the draft Report which the EU team met to discuss on 9 June 2016.
Further discussions on the draft report continued between the Commission and DHS, including a senior official level meeting in Washington D.C. on 14 July 2016. The Commission advised the DHS in August 2016 that, to the extent that they still disagreed with or wished to provide additional context to the Report, they could provide written comments to be attached to the report under Article 23(3) of the Agreement
Report from the Commission to the European Parliament and the Council and Commission Staff
Working Paper on the joint review of the implementation of the Agreement between the European Union and the United States of America on the processing and transfer of Passenger Name Records (PNR) to the United States Department of Homeland Security, 8-9 July 2013.
Privacy Compliance Review - "Report on the use and transfer of passenger name records between the
European Union and the United States", DHS Privacy Office, June 26, 2015.
http://www.dhs.gov/sites/default/files/publications/privacy_pcr_pnr_review_06262015.pdf.